Season 1 - Episode 15 (Pedro Kertzman & Adam Goss) - Cyber Threat Intelligence Podcast

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Adam Goss (00:00):
The innovation in the cybersecurity space comes from
people who have thosecross-domain expertise.

Rachael Tyrell (00:07):
Hello and welcome to Episode 15, season 1,
of your Cyber ThreatIntelligence Podcast.
Whether you're a seasoned CTIexpert, a cybersecurity
professional or simply curiousabout the digital battlefield,
our expert guests and hosts willbreak down complex topics into
actionable insights.
On this episode of Season 1,our host, Pedro Kertzman, will
chat with Adam Goss, who is acybersecurity practitioner and

(00:29):
educator with experience insecurity operations, security
engineering and threatintelligence.
He has worked with MSSPs,international service providers
and within the UKtelecommunications sector.
Additionally, he runs CravenSecurity, a CTI education and
consulting firm that offersaffordable training for
individuals and provides bespokeservices to help companies

(00:49):
enhance their CTI capabilities,leveraging his years of industry
experience.
Over to you, Pedro!

Pedro Kertzman (00:58):
Adam, thank you so much for joining the podcast.
It's really great to have youhere.

Adam Goss (01:03):
Yeah, thanks for having me.
It's great to be on the podcast.
It's really great to have youhere.
It's great to be on the show.

Awesome.
Usually start asking the gueststheir journey into CTI how it
all started your path to maybepivoting into CTI and then what
you're doing currently with CTI.
Would you mind walking usthrough that please?

Adam Goss (01:21):
Yeah, of course.
So, yeah, my path into cti wasa little, um, unconventional.
Uh, starting out, I reallywanted to get into penetration
testing and the offensive sideof things.
So when I was taking mygraduate degree in cyber
security, I focused a lot on thepenetration testing
certifications.
Okay, uh, so things like theoscp and e-learnings, ejpt and

(01:44):
ECCPT, yeah, and I was lookingfor an entry level role in
penetration testing.
As a lot of people who've gonedown that route know, it's not
an easy role to find.
And that led me to join in ASOCfor a large MSSP over here in
Europe, which was fun.

(02:06):
It was managing a lot ofdifferent clients and, yeah,
with different clients comesdifferent challenges and yeah,
it kept me, keeps you on yourtoes.
Yeah, um, from there, um, theywere looking for someone who
specialized in cti and it kindof kind of the skill transfer
across from c fromC role into aCTI role was quite, yeah, quite

(02:26):
a natural one, I guess.
So I decided to take on morethreat intelligence work, which
was fun, and I guess I enjoybeing at like the bleeding edge
of security, seeing what the badguys were doing, and it kind of
fueled me in that regard.
You know, it scratched thatitch of penetration, testing and
offensive side of things.

(02:46):
It was a nice blend of roles.
So once I finished up in thatMSSP role, I moved into a
specialist CTI role at a largeinternational services provider,
which was fun.
It was, yeah, it allowed me tospend more time doing the CTI
work that I really enjoyed and alot of the focus was on more

(03:08):
the operational side of things.
So things like threat hunting,detection, engineering,
translating those TTPs or IOCsinto actionable intelligence
that our SOC team could work on,could work on.
Unfortunately, as many peoplewho work for large organizations

(03:29):
know, it can be difficultworking in that corporate
environment.
There's a lot of red tapeeverywhere.
There's a lot of processes thatdon't get done or are badly
implemented.
So, yeah, I guess I kind of gota little fed up of that and
moved to a more tech-focusedorganization.
Here in the UK we worked in thetelecom space, so that gave me

(03:51):
a lot more freedom andflexibility.
They were kind of, yeah,focused on a lot more on
innovation and moving fastrather than big bureaucracies,
which was fun, rather than bigbureaucracies, which was fun.
But again, with security,there's always that culture
clash of having things move fastand having things be secure, so

(04:11):
that was another challenge towork on.

That's nice.

Adam Goss (04:14):
Yeah, and I guess from my work in the field, it
kind of got me excited to teachothers what I've learned and
help other businesses grow.
So that's where I startedCraven Security, who's offering
training and consulting in theCTI space, and it's more focused
on making CTI accessible.
Working at a lot of theseorganizations, a lot of people

(04:37):
didn't know what cti was, letalone how to use it.
Uh, so I yeah I wanted to teachpeople more about cti and allow
them to get the most out of it,um, for their business as well
that's awesome if people want tocheck more about.

Uh, yeah, craven securitycom, perfect, perfect.
I'll make sure I'll includethat on the description of the
episode as well.
And um, during that, uh, youmentioned the transition from a,
like traditional sock role intothe more specialized cti.
Any like learnings within thatpivoting from the sock to a cti

(05:12):
role, any things you learnedthroughout that process that you
think it would be nice to sharewith the audience as well?

Adam Goss (05:20):
Yeah.
So I think the biggest thingwas bias.
So in SOC you kind of want tobe a bit biased and you want to
act on that bias because itmakes you, it allows you to make
fast decisions.
So say, if you see a bad IPaddress you jump straight to
blocking it.
And that bias kind of helps youdo your job fast.

(05:42):
And especially working at MSSP,you've got to get through a lot
of alerts fast.
So if you know where they'regoing to go and jump to that,
then it saves you a lot of timeand a lot of headache down the
road, whereas in a CTI role it'smore the opposite.
You don't want to be biased,you want to combat that bias and
ask a lot more questions aroundit.

(06:03):
So like, if you got a bad IPaddress, you want to know, like,
where it's coming from, if youguys have seen it before, and
you kind of get more strategicabout the questions you ask
rather than jumping straightinto the action to the action.

That's very interesting Difference between
being biased and not beingbiased from a SOC versus actual
CTI perspective.
Thanks for sharing that.
Anything else like why thatchange happened?
Any other learnings, how thatall played out?

Adam Goss (06:35):
Yeah, so I think for me personally, I got a little
bored of the day-to-day SOCroles, so just dealing with
phishing threats or someoneplaying a game on their laptop
and you don't want them to beplaying.
So, yeah, I think it's more anatural progression as you move
up those SOC levels from L1 toL3, and you get more interested

(06:58):
in the detection side of thingsor the engineering side, and I
think cti is one of those thingsthat you kind of specialize in.
So it's it's more of a like anatural transition, moving from
a sock analyst to a cti analyst,um, and wanting to be more at
the bleeding edge, dealing withthose emerging threats, rather
than just playing whack-a-moleon those ones that you see every

(07:19):
day any like cool things?

what's your like currently day-to-day into the
cti uh role going out nowadays?
Any nice things to share?
Can you walk us through that aswell, please?

Adam Goss (07:33):
yeah, so at the minute I am yes, pretty much
what time between a um, a smalltelecoms provider here in the UK
, and teaching CTI toindividuals and businesses.
So, yeah, a lot of the work Ido for this on my day job for

(07:54):
the small telecoms provider isfocused on the engineering
aspect of CTI as we're lookingto build out our program.
So it'll be things like helpingbuild out the threat
intelligence platform we use,making sure the processors are
in place to get those IOCs andTTP based threat hunts going,
sharing that threat intelligence.
So, yeah, there's not manypeople in our, in our security

(08:19):
team, so a lot of us wear a lotof different hats.
Uh, and yes, a lot of my workis being involved at all those
stages of the cti life cycle.
So, from collecting toanalyzing to disseminating, it's
um, yeah, it's quite involvedthat's.

That's.
That's awesome.
How do you like, uh, once youmove to that more consulting CTI
role, how you do yourupskilling, you know
understanding better CTI trendsand techniques and how to teach
CTI and all that.

Adam Goss (08:52):
Yeah.
So I think we're quitefortunate in the CTI space that
a lot of people like topublicize their work, so, be it
small bloggers online or be itbig CTI vendors who love to
share what they're doing.
So I think the best way to stayon top of all the latest trends
and goings on in the CTI spaceis just, yeah, being online,

(09:13):
being on those blog posts andreading them up, following along
with them, and then on socialmedia platforms as well.
So things like linkedin or x,and keeping up with the
day-to-day uh, what's happeningat the ground level, you know, I
think that's the best way tostay ahead in the game and keep
on learning that's awesome.

how would you, because you mentioned you
started, uh, wanting to go on athreat hunting kind of journey,
and how you would relate thosetwo things like CTI and threat
hunting nowadays with theexperience that you have already
?

Adam Goss (09:48):
Yeah.
So I think CTI can mean a lotof things to a lot of different
people.
It could be focusing on thatstrategic work of delivering
reports to stakeholders, or itcould be turning those
operational indicators intothings that you're sort of going
to act on.
A big part of my backgroundcame from turning those

(10:09):
operational indicators intothreat hunts or detection rules,
and I find that, yeah, quite afun challenge really turning
technical indicators into thingslike sim or edr queries and
rules that make a tangibledifference to our day-to-day
operations.
Um, yeah, I think really Ifound my passion for threat

(10:32):
hunting and the technical sideof cti from my time working for
mssp.
Um, I don't know if youremember this, but a while back
there was the Log4Jvulnerability that was doing the
rounds.

Yeah, yeah, I do .
I lost my Christmas because ofit.
I do remember that was a bigone.

Adam Goss (10:54):
Yeah, so this was a big one at the time, especially
around December, impacted a lotof people's christmases,
unfortunately, uh.
But yeah, it was a big uh, abig vulnerability in the apache
log 4j service, um, and a lot ofour clients were using this as
a web facing service, um.
So, yeah, I guess I was alittle, a little bored, maybe

(11:17):
over the Christmas period Thingswere slowing down.
So, yeah, I took it upon myselfto read a blog article that was
doing the rounds about threathunting for active exploitation
of this popular vulnerability.
And then, yeah, I decided tospin up my own vulnerable
service Thanks to Vaughn Hub,who have a bunch of vulnerable

(11:38):
services you can freely downloadand spin up in Docker or
virtual machines and, luckilyenough, I found a POC on the
exploit doing the rounds as well.
It was, yeah, it was thatpopular.
So I, yeah, aimed at thisvulnerable service, I spun up,
triggered it and then decided totry and write a threat hunting

(12:00):
rule to try and find signs ofthat exploitation.
And, yeah, that little,probably like a week project
really got me passionate forthat threat hunting.
It was very satisfying to gofrom seeing a write-up on the
internet to finding a POC in avulnerable service and then
having your own threat huntingrule that you can push across

(12:22):
thousands or tens of thousandsof clients to try and find that
in the in the wild that's verynice.

Thanks for sharing.
You mentioned that moretechnical aspect on the threat
hunting, doing pocs and all that.

Adam Goss (12:34):
Any like interesting case around those more technical
details and how you transferthat into into cti um, yeah, so
I think the longer you've beenin the uh the defensive game,
the more and more reverseengineering or malware analysis
skills you learn as you as youprogress again through those
stock levels or if you get intocti and want to compensate your

(12:57):
skill set with something a bitmore out there.
And yeah, I guess my backgroundin malware analysis came from
when I was working at a largeservice provider and we were
doing our daily threat hunts andwe came across an obfuscated
PowerShell command and, yeah, wedidn't have a malware analysis

(13:28):
team at the time.
So it fell upon uh myself andthe rest of our cti team to try
and figure out what was going onwith this uh fileless malware.
Um, yes, I guess, long storyshort, we found it to be a
default uh cobalt strike beaconthat was uh beginning out to a
c2 server.
so, yeah, that'll uh, that'llwake you up on a friday oh,
obviously, yeah, yeah um, yeah,and then, yeah, through, uh,

(13:51):
through a bit more analysis, wefound, uh, the infrastructure
that was being used to host thisc2 server and we could do some
c2 hunting.
And, yeah, I found some IOCsthat can be blocked by the SOC
on a on a follow-up report and,yeah, eventually passed
responsibility over to them.
Um, so it all seemed.
It all seemed good at the time.
We closed out our Friday and wecould enjoy our weekends.

(14:15):
Uh, unfortunately, the next weekwe uh found out that there'd
been a bit more to thisobfuscated PowerShell command
and we had a ransomware outbreak.
I guess that kind of led meinto why I wanted to improve the
people and processes that goaround with security, because I

(14:35):
guess this was quite a goodexample of so, if you have the
three plus of security, you havetechnology, processes and
people.
This was quite a good exampleof having that technology in
place that we found this badthing, but then we didn't have
the people or processes to dealwith it, and that kind of got me
thinking about maybe I shouldinvest more of my time, rather

(14:56):
than deploying thesetechnologies, maybe teaching the
people and businesses to havethese processes in place that
they can do with this kind ofthreat and that's, yeah, kind of
kind of the origin story forCraven Security, about more
training rather than just buyingthe latest tech that's amazing,
super insightful, thank you,and I could not agree more.

People gotta be aware of the importance of not
only the latest shiny tool.
If you don't put that into gooduse, it's just probably a waste
of budget, right?
So that's uh, that's soimportant.
Probably a little bit of a whythe podcast as well, just to
make sure people understand allthe bits and parts of the cti,

(15:40):
or why cti is so important as awhole, not only the technical
aspect, but how to implementthose measures to prevent that
kind of stuff, especially onFridays, worst day of the week.
Yeah, exactly Exactly, and anythings that you know through all
.
I think people now understand afair amount of your journey and

(16:03):
the things you experienced andyour, your and your knowledge
around around cti.

Adam Goss (16:09):
Anything that you know specifically today that you
wish, let's say, you knew backin the day when you first
started pivoting into into yourcti career um, yeah, I guess, I
guess, uh, throughout my careerthere's been a lot of like
learning points where I've hadthese realizations that I'd wish
, wish I could go back and tellmy younger self um, I think one

(16:32):
of the main ones is aroundconfidence.
You'd see senior uh sockanalysts or threat intelligence
analysts going away doingamazing things and you'd think
why, why can't I do that?
And I think over time you learnthat by repetition and by
showing up every day and tryingto get better, that it builds
that confidence that you can gointo these situations and handle

(16:55):
them.
Because, yeah, that first timewe we found ransomware in the
environment, it was very, veryscary and you don't have the
confidence to deal with it, youknow.
But if you show up every dayand you, the more incidents you
encounter and the more uh, themore threat intelligence you go
through that life cycle, themore confidence you get in your

(17:15):
own abilities.
And I think it's important topoint out that it's not, it's
not a race as well.
It's more, more aboutconsistency.
That builds a great career.
Rather than trying to be thefirst one to finish or trying to
get through 12-hour days, sevendays a week, it's showing up
every day and not burningyourself out.
I think that's what I tell myyounger self focus on being

(17:39):
consistent, showing up, tryingto learn every day and trying to
make a difference, rather thanjust burning yourself out in a
couple of weeks.
So I think what I've noticed,being in a few different
industries, is that theinnovation in the cybersecurity

(18:01):
space comes from people who havethose cross-domain expertise,
comes from people who have thosecross-domain expertise, so
something like a CTI analyst whocan program, or a CTI analyst
who knows a bit about marketingand can put the word out there
about threats.
I think that's where theinnovation lies.
So if you can upskill in thosecross-domain expertise, I think
you're on to a winner and youcan be a real unicorn in the

(18:22):
industry and stand out.

Oh, I love that.
Funny enough, I think it's fairto say within the last episodes
of the podcast we have peoplefrom so many different
backgrounds and I totally agreewith you.
Let's say, of course you knowwe always learn from threat
reports and feeds and all theinformation that we are usually
exposed to from a CTI day-to-dayperspective.

(18:46):
But what about the industry?
How the industry is shaping therole of CTI analysts or leaders
.
Are they shaping or reshapingcurrently?
How do you learn that stuff?
Where are your go-to sourcesfor that type of knowledge as
well?

Adam Goss (19:05):
that stuff?
Where are your go-to sourcesfor that type of knowledge as
well?
Yeah, so yeah, being ctianalysts, we're listed with uh
threat feeds every day,definitely, and it's yeah, it's
a great, great way to see thetactical stuff and the
operational stuff that'shappening.
But I think a lot of uh there's.
There's still quite a few gooduh vendors or cTI vendors out
there that provide some goodoverall landscape reports and a

(19:26):
bit more high level rather thanjust focusing on the day-to-day
stuff.
So things like Red Canary, whoput out a lot of good resources
on detection engineering andtrends that they're seeing
across their space.
Two prominent EDR vendors whosee a lot of the threat
landscape and can provide thoselong reports about where they

(19:47):
see trends going and thebusiness impact across multiple
sectors.
And then finally, like a bigshout out to the DFIR report,
who, if you read their articles,you're definitely upscaling in
that analysis work and they deepdive into the um, into the
finer details of what goes on inan investigation, and if you

(20:08):
can mimic what they're doing, Ithink you think you're onto a
winner that's awesome and anyother like learning sources that
you would recommend as wellyeah.
So if so, aside from theindustry trends and what's going
on in the industry, I alwaysthink it's valuable to get
hands-on experience with CTI.
So platforms like TryHackMe orHackTheBox and their Sherlock's

(20:30):
for blue teamers I think they'regreat platforms to just go and
have a play around and gethands-on training with CTI
topics, soc topics, malwareanalysis topics and if you can
broaden your skill set usingthose platforms, it really helps
in your CTI work.

That's awesome and any like I don't know, maybe
conferences, meetups, othergatherings of CTI folks that
you've heard of or been in thatyou would recommend as well.

Adam Goss (21:04):
So, yeah, definitely, if you can afford it, I'd
recommend the Black HatConferences.
They have a lot of goodtraining and meetups there and
it's less focused on the vendorsand more focused on training.
So I definitely recommend BlackHats.
For the community aspect, Ithink B-Sides is pretty well
covered across the world really.
So if you can get to a localB-Sides hangout, that's a great

(21:26):
place to meet peers and discussabout what's going on and
there's a lot of learningopportunities there and
networking.
So, yeah, definitely try andfind your local B-Sides.

That's awesome and any, let's say, books that
you remember as well, that youread, that might be worth to
people trying to learn somethingabout CTI from from those ones
as well yeah, of course there'sbeen three books over the past
few months that I've read thatfound quite, quite useful and
quite good for CTI analysts toread.

Adam Goss (21:58):
The first one is called intelligence driven
incident response and it relatesthe feed intelligence lifecycle
, which is quite an operationalone, to intrusion analysis and
incident response.
So it walks you through thesteps of the feed lifecycle.
So you have find, fix, finish,exploit, disseminate, find, fix,

(22:26):
finish, exploit, disseminate,and it walks you through those
steps about how you can apply itto an incident response
activity and how you can useintelligence to drive your
analysis and really scope theenvironment and make sure that
you're clear.
Another book I've read iscalled Intrusion Detection
Honeypots, which focuses on theactive defence and deception

(22:49):
side of things in terms of CTI.
So it walks you through how tobuild out a honeypot
infrastructure and trapadversaries in your networks.
So it's quite a good hands onbook that I found really
interesting.
And then, finally, one that'smore focused on strategic
intelligence that I've lovedreading recently is called

(23:10):
critical thinking for strategicintelligence and it goes through
20 questions that you shouldask when you're generating a
piece of strategic threatintelligence and it kind of
walks you through the stepsabout how you can take raw data
and turn it into something thata stakeholder will find
actionable and reportable.
Yeah, and it's, yeah, highlyrecommend it.

That's very nice .
From hands-on technical booksinto more strategic ones.
That's super nice.
Thanks for sharing that.
I'll make sure I include thename of the books as well on the
description of the of theepisode perfect.
Thanks so much, and any otherlearning sources that you can
think of um, yeah, so I thinkcti can be.

Adam Goss (23:54):
It can be quite hard to get into because the main
training course is obviously theone from s and that can be
quite expensive for individualsto purchase.
So a couple of good, affordabletraining options that I found
are the ArcX threat intelligencecourses that walk you from
being a beginner to an advancedpractitioner.

(24:15):
I'd recommend checking thoseout.
And then there's also severalcourses by by applied network
defense that focus on theanalytical skills, so things
like cyber chef or or intrusionanalysis, and I think they're
great for any and that and Ithink they're great for any

(24:36):
analyst to get their hands onand and play around with.
They really teach you the uh,the fundamentals of doing that
analysis work and walk youthrough an investigation and uh
many closing thoughts, uh thingsabout cti you would like to to
mention as well uh.
So, yeah, I think in cyber wecan.
We can get caught up in theday-to-day stuff a lot and

(24:57):
forget to have, forget why wegot into the industry.
You know, I think that it canbe.
Uh, it can be a bit drainingdoing the day-to-day work,
dealing with that corporate life, dealing with the doom
mongering and internal politics,and it can get you down.
And I think it's important tofocus on trying to have fun.
You know, like it's it's workat the end of the day, but we're

(25:20):
not out here saving lives andwe can put a lot of pressure on
what we do and at the end of theday, but we're not out here
saving lives and we can put alot of pressure on what we do
and at the end of the day it'sjust work.
I think we should focus ontrying to have fun and bring a
bit of lightheartedness to whatwe do.
And, yeah, I guess above all,you should value health and

(25:41):
family and treat work as justwork.
You know, it's just a bit, it'sjust some fun.
Don't take yourself tooseriously and, yeah, remember
that it's quite fortunate thework we do.
You know, being in CTI andcyber, there's a lot of career
perks and not to focus too muchon the work and do the stuff
that you enjoy in the work.
You know I enjoy doing theanalysis work and sharing that

(26:02):
and I try to do as much of thatwork as I can so it so work
stays fun and I don't burnmyself out.
There's always going to be theinternal politics and stuff, but
I think if you approach eachday looking at the bright side
of things and focusing on thefun aspect of cti, being curious
and always wanting to learnthat, then it's a great ride.

(26:23):
So, yeah, just focus on whatyou enjoy.

I'd say Perfect.
I love that, adam, thank you somuch for sharing your knowledge
with us.
I really appreciate all theinsights and I hope I'll see you
around, thank you.

Adam Goss (26:38):
It's been great.

Rachael Tyrell (26:41):
And that's a wrap.
Thanks for tuning in.
If you found this episodevaluable, don't forget to
subscribe, share and leave areview.
Got thoughts or questions?
Connect with us on our LinkedIngroup Cyber Threat Intelligence
Podcast.
We'd love to hear from you Ifyou know anyone with CTI
expertise that would like to beinterviewed in the show.
Just let us know.
Until next time, stay sharp andstay secure.

(27:03):
We'll be right back.

All Episodes

Season 1 - Episode 15 (Pedro Kertzman & Adam Goss)

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

The Joe Rogan Experience

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Season 1 - Episode 15 (Pedro Kertzman & Adam Goss)